[root@radius ~]# [root@radius ~]# radiusd -X radiusd: FreeRADIUS Version 2.2.10, for host x86_64-unknown-linux-gnu, built on Jan 30 2019 at 00:05:00 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /home/setup.radius/etc/raddb/radiusd.conf including configuration file /home/setup.radius/etc/raddb/proxy.conf including configuration file /home/setup.radius/etc/raddb/clients.conf including files in directory /home/setup.radius/etc/raddb/modules/ including configuration file /home/setup.radius/etc/raddb/modules/acct_unique including configuration file /home/setup.radius/etc/raddb/modules/always including configuration file /home/setup.radius/etc/raddb/modules/attr_filter including configuration file /home/setup.radius/etc/raddb/modules/attr_rewrite including configuration file /home/setup.radius/etc/raddb/modules/cache including configuration file /home/setup.radius/etc/raddb/modules/chap including configuration file /home/setup.radius/etc/raddb/modules/checkval including configuration file /home/setup.radius/etc/raddb/modules/counter including configuration file /home/setup.radius/etc/raddb/modules/cui including configuration file /home/setup.radius/etc/raddb/modules/detail including configuration file /home/setup.radius/etc/raddb/modules/detail.example.com including configuration file /home/setup.radius/etc/raddb/modules/detail.log including configuration file /home/setup.radius/etc/raddb/modules/dhcp_sqlippool including configuration file /home/setup.radius/etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /home/setup.radius/etc/raddb/modules/digest including configuration file /home/setup.radius/etc/raddb/modules/dynamic_clients including configuration file /home/setup.radius/etc/raddb/modules/echo including configuration file /home/setup.radius/etc/raddb/modules/etc_group including configuration file /home/setup.radius/etc/raddb/modules/exec including configuration file /home/setup.radius/etc/raddb/modules/expiration including configuration file /home/setup.radius/etc/raddb/modules/expr including configuration file /home/setup.radius/etc/raddb/modules/files including configuration file /home/setup.radius/etc/raddb/modules/ippool including configuration file /home/setup.radius/etc/raddb/modules/krb5 including configuration file /home/setup.radius/etc/raddb/modules/linelog including configuration file /home/setup.radius/etc/raddb/modules/logintime including configuration file /home/setup.radius/etc/raddb/modules/mac2ip including configuration file /home/setup.radius/etc/raddb/modules/mac2vlan including configuration file /home/setup.radius/etc/raddb/modules/ntlm_auth including configuration file /home/setup.radius/etc/raddb/modules/opendirectory including configuration file /home/setup.radius/etc/raddb/modules/otp including configuration file /home/setup.radius/etc/raddb/modules/pam including configuration file /home/setup.radius/etc/raddb/modules/pap including configuration file /home/setup.radius/etc/raddb/modules/passwd including configuration file /home/setup.radius/etc/raddb/modules/perl including configuration file /home/setup.radius/etc/raddb/modules/policy including configuration file /home/setup.radius/etc/raddb/modules/preprocess including configuration file /home/setup.radius/etc/raddb/modules/radrelay including configuration file /home/setup.radius/etc/raddb/modules/radutmp including configuration file /home/setup.radius/etc/raddb/modules/realm including configuration file /home/setup.radius/etc/raddb/modules/redis including configuration file /home/setup.radius/etc/raddb/modules/rediswho including configuration file /home/setup.radius/etc/raddb/modules/replicate including configuration file /home/setup.radius/etc/raddb/modules/smbpasswd including configuration file /home/setup.radius/etc/raddb/modules/smsotp including configuration file /home/setup.radius/etc/raddb/modules/soh including configuration file /home/setup.radius/etc/raddb/modules/sql_log including configuration file /home/setup.radius/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /home/setup.radius/etc/raddb/modules/sradutmp including configuration file /home/setup.radius/etc/raddb/modules/unix including configuration file /home/setup.radius/etc/raddb/modules/wimax including configuration file /home/setup.radius/etc/raddb/modules/inner-eap including configuration file /home/setup.radius/etc/raddb/modules/mschap including configuration file /home/setup.radius/etc/raddb/modules/ldap including configuration file /home/setup.radius/etc/raddb/modules/f_ticks including configuration file /home/setup.radius/etc/raddb/eap.conf including configuration file /home/setup.radius/etc/raddb/policy.conf including files in directory /home/setup.radius/etc/raddb/sites-enabled/ including configuration file /home/setup.radius/etc/raddb/sites-enabled/default including configuration file /home/setup.radius/etc/raddb/sites-enabled/inner-tunnel including configuration file /home/setup.radius/etc/raddb/sites-enabled/control-socket including configuration file /home/setup.radius/etc/raddb/sites-enabled/eduroam including configuration file /home/setup.radius/etc/raddb/sites-enabled/eduroam-inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /home/setup.radius/etc/raddb/dictionary main { name = "radiusd" prefix = "/home/setup.radius" localstatedir = "/home/setup.radius/var" sbindir = "/home/setup.radius/sbin" logdir = "/home/setup.radius/var/log/radius" run_dir = "/home/setup.radius/var/run/radiusd" libdir = "/home/setup.radius/lib" radacctdir = "/home/setup.radius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/home/setup.radius/var/run/radiusd/radiusd.pid" checkrad = "/home/setup.radius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "IDENTITY MASKED" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm NULL { authhost = LOCAL } realm x.com { authhost = LOCAL } realm DEFAULT { nostrip authhost = flr1.eduroam.ernet.in secret = IDENTITY MASKED } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "IDENTITY MASKED" nastype = "other" } client 10.250.200.52 { require_message_authenticator = no secret = "IDENTITY MASKED" } client iitap { ipaddr = 103.21.127.8 require_message_authenticator = no secret = "IDENTITY MASKED" } client cisco-controller { ipaddr = 10.196.3.252 require_message_authenticator = no secret = "IDENTITY MASKED" } client 10.250.1.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "mojo-dc" } client 10.250.9.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "classrooms-left" } client 10.250.10.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "classrooms-middle" } client 10.250.11.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "classrooms-right" } client 10.250.12.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "lcr-lab" } client 10.250.26.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "mess-building" } client 10.250.27.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-1" } client 10.250.28.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-2" } client 10.250.29.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-3" } client 10.250.30.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-4" } client 10.250.31.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-5" } client 10.250.32.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-6" } client 10.250.33.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-7" } client 10.250.34.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-8" } client 10.250.35.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-9" } client 10.250.36.0/24 { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "hostel-10" } client flr1.eduroam.ernet.in { require_message_authenticator = no secret = "IDENTITY MASKED" shortname = "flr1" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /home/setup.radius/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /home/setup.radius/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /home/setup.radius/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /home/setup.radius/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /home/setup.radius/etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /home/setup.radius/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /home/setup.radius/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /home/setup.radius/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /home/setup.radius/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /home/setup.radius/etc/raddb/modules/unix unix { radwtmp = "/home/setup.radius/var/log/radius/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /home/setup.radius/etc/raddb/modules/ldap ldap { server = "ldap.x.com" port = 389 password = "IDENTITY MASKED" expect_password = yes identity = "cn=wireless,ou=people,dc=x,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=people,dc=x,dc=com" filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web))" base_filter = "(objectclass=posixAccount)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" dictionary_mapping = "/home/setup.radius/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /home/setup.radius/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP employeeType mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP departmentNumber mapped to RADIUS Dept-Number conns: 0x1ce6f80 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /home/setup.radius/etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/home/setup.radius/etc/raddb/certs/server.key" certificate_file = "/home/setup.radius/etc/raddb/certs/server.pem" CA_file = "/home/setup.radius/etc/raddb/certs/ca.pem" private_key_password = "IDENTITY MASKED" dh_file = "/home/setup.radius/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /home/setup.radius/etc/raddb/modules/preprocess preprocess { huntgroups = "/home/setup.radius/etc/raddb/huntgroups" hints = "/home/setup.radius/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /home/setup.radius/etc/raddb/huntgroups reading pairlist file /home/setup.radius/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /home/setup.radius/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /home/setup.radius/etc/raddb/modules/files files { usersfile = "/home/setup.radius/etc/raddb/users" acctusersfile = "/home/setup.radius/etc/raddb/acct_users" preproxy_usersfile = "/home/setup.radius/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /home/setup.radius/etc/raddb/users reading pairlist file /home/setup.radius/etc/raddb/acct_users reading pairlist file /home/setup.radius/etc/raddb/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /home/setup.radius/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /home/setup.radius/etc/raddb/modules/detail detail { detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /home/setup.radius/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/home/setup.radius/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /home/setup.radius/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /home/setup.radius/etc/raddb/modules/radutmp radutmp { filename = "/home/setup.radius/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /home/setup.radius/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/home/setup.radius/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /home/setup.radius/etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /home/setup.radius/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server eduroam { # from file /home/setup.radius/etc/raddb/sites-enabled/eduroam modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Instantiating module "auth_log" from file /home/setup.radius/etc/raddb/modules/detail.log detail auth_log { detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Checking preacct {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "pre_proxy_log" from file /home/setup.radius/etc/raddb/modules/detail.log detail pre_proxy_log { detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Instantiating module "attr_filter.pre-proxy" from file /home/setup.radius/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/home/setup.radius/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /home/setup.radius/etc/raddb/attrs.pre-proxy Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /home/setup.radius/etc/raddb/modules/detail.log detail post_proxy_log { detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Instantiating module "attr_filter.post-proxy" from file /home/setup.radius/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/home/setup.radius/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /home/setup.radius/etc/raddb/attrs Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /home/setup.radius/etc/raddb/modules/detail.log detail reply_log { detailfile = "/home/setup.radius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_linelog Module: Instantiating module "f_ticks" from file /home/setup.radius/etc/raddb/modules/f_ticks linelog f_ticks { filename = "syslog" permissions = 384 format = "" reference = "f_ticks.%{%{reply:Packet-Type}:-format}" } } # modules } # server server eduroam-inner-tunnel { # from file /home/setup.radius/etc/raddb/sites-enabled/eduroam-inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/home/setup.radius/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 51478 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /home/setup.radius/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=57, length=192 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x028f000e01746573742e66616331 Message-Authenticator = 0x2dd69a2b06c00a9de727d4d4910b6878 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 143 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test.fac1 [ldap] expand: %{Stripped-User-Name} -> test.fac1 [ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap.x.com:389, authentication 0 [ldap] bind as cn=wireless,ou=people,dc=x,dc=com/IDENTITY MASKED to ldap.x.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED" [ldap] ntPassword -> NT-Password == IDENTITY MASKED [ldap] lmPassword -> LM-Password == IDENTITY MASKED [ldap] looking for reply items in directory... [ldap] departmentNumber -> Dept-Number = "CSE" [ldap] employeeType -> Filter-Id = "FAC" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 57 to 103.21.127.8 port 36461 Filter-Id = "FAC" EAP-Message = 0x019000061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138447108b3ddc39d6e6b8fcf3a Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=58, length=345 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x0290009519800000008b1603010086010000820303d2d0dcb341329d470a66620c85cd9ca95100b951585a83e2f3322088b8f8249d00002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403040105030501060306010201000b00020100000a00080006001d00170018 State = 0x44e11138447108b3ddc39d6e6b8fcf3a Message-Authenticator = 0xd3225adc21222bbe08c40088f3124cca # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 144 length 149 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 139 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< Unknown TLS version [length 0086] [peap] TLS_accept: SSLv3 read client hello A [peap] >>> Unknown TLS version [length 0039] [peap] TLS_accept: SSLv3 write server hello A [peap] >>> Unknown TLS version [length 08ee] [peap] TLS_accept: SSLv3 write certificate A [peap] >>> Unknown TLS version [length 014d] [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> Unknown TLS version [length 0004] [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A [peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 58 to 103.21.127.8 port 36461 EAP-Message = 0x0191040019c000000a8c16030300390200003503038a81216071d4a6c42a243fe76ac8ac6975080bef93f45b079d6679283f973ca100c02f00000dff01000100000b00040300010216030308ee0b0008ea0008e70003e7308203e3308202cba003020102020101300d06092a864886f70d01010b0500308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420 EAP-Message = 0x436572746966696361746520417574686f72697479301e170d3139303133303135303530355a170d3231303132393135303530355a307f310b300906035504061302494e3112301006035504080c094b61726e6174616b6131143012060355040a0c0b49495420446861727761643122302006035504030c19526164697573205365727665722043657274696669636174653122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c1b0955b319f1f6621f5607ecbb49f744a0a0f78ea4e31d19a0ca744addd9045bb0220d89bbc EAP-Message = 0x8b6d6169b9fb0c255bc7ade7d879902aa4a060f96cd4e0c25ff660cdf5ecf4492055712b6d334868161dea5f988314bc360df494f987900b0f6fd8b6a0e3e63e7577ad34c71e55cb327d7d57b5fe3c38dacdf153ed5a14a62f438b815cc91102a28033020c8373e7b82484c3f04fe984847437e62d4769ff7c40081dc6651d2736549bf4fa9e3108ef872332aded8f649ed1e11892a3cfa16566b15e183bc0f8c99b698830c692f383b890b8a0730a7458d0b2348bf314efbb066ceaf4bb1f70e0be1255bee09c84db6bb06f77ea9efa36519b644b1f50a79ad90203010001a34f304d30130603551d25040c300a06082b060105050703013036060355 EAP-Message = 0x1d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101001302ed567f477a828a34effb1be5a87e140173473485fb8d310719ed80a926c14c95b72b15f2e6331a43b733a5ad2fe1e495ae3896a1499c6825a616d6bc51cdcf660a6069172eba30489bec9a8729f2821188bad3678a2a1678f73f6b2fe4fdbaad7a72549c9663e324fcd6c8e08ebed908a58166de237c39ee4f8e295802381abf228dbfa129ca7bfd4c75eafa134590cda55af27e3bbe9a850a6317c41924637b35dd3d0d5534e28f7db9407abe986a46b8cbf387 EAP-Message = 0x593d2de647de76683cb6fd95 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138457008b3ddc39d6e6b8fcf3a Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=59, length=202 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x029100061900 State = 0x44e11138457008b3ddc39d6e6b8fcf3a Message-Authenticator = 0x3ee8595df00a1545ca24ced1373b4224 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 145 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 59 to 103.21.127.8 port 36461 EAP-Message = 0x019203fc1940596fb2deeec8722992cfd5833f268aeb321265faf276fc6fdaaa84e70e7192f149ab519dc832ca469e28473b8f5154c9449aa3f4519393f587349a0d6bfb0004fa308204f6308203dea003020102020900b195ed2925374bc5300d06092a864886f70d01010b0500308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c214949542044686172776164204365727469666963 EAP-Message = 0x61746520417574686f72697479301e170d3139303133303135303334375a170d3231303132393135303334375a308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aa60dd6c677c68f395a7930d0684d20cc116ff EAP-Message = 0x7ab3141d129e8939f7732f3e873fc5c79fe51fa6de2a0cdf01343299207284c9075fafd7ee5bff3bcb284bb9bea69700da15b0bb3e96d640794669c604fd0c2bb7fcf1336cf8cca9debb776889af2e45af9615c27f1f996ca8d1f768406010da1912ad8c7d3ed71e97933b6fd9fab9ce7fe8bfd7a1bb8b7d3c611b8f2f6b5868a4ae7296c4c170a807e2dc553e21c93e9d8cb8f2b3a769999c5060de8b827b069c447fbe7e3707e3855976122cd434f078414c6512c35079db5708ee0f7e5ec3284c30e74c3d8f9f7e8c2d88f12ff557ebbcdc409bb58b339946a61af8198d3ddc55c6b9c3589f473734c7de390203010001a382013d30820139301d06 EAP-Message = 0x03551d0e04160414876f3b6ff4f034850d26e76d1cfa4727e22231683081ce0603551d230481c63081c38014876f3b6ff4f034850d26e76d1cfa4727e2223168a1819fa4819c308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420436572746966696361746520417574686f72697479820900b195ed2925374bc5300f0603551d130101ff040530030101 EAP-Message = 0xff30360603551d1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138467308b3ddc39d6e6b8fcf3a Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=60, length=202 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x029200061900 State = 0x44e11138467308b3ddc39d6e6b8fcf3a Message-Authenticator = 0xfb8fd96993eb4d189d63eb354bdcaf70 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 146 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 60 to 103.21.127.8 port 36461 EAP-Message = 0x019302a61900042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010004198cd9513bbda7757818012765e60d14d05dd60f18760c5e8726bb1c24da7347d6a13aa7feac3e7babaa4c0025d30906dd493ec9b861693893252c170010289afd64d7a9ef04742b44e7483698f7afb4dd629a1ffd15912faacc78959fcbc244600752e2ae04809970f4f3bd066fc6d1106aa64982437ee4ced6f4a9c539416fdd01ad64cfc3f3d2ffd2bdd25cd979e58bfaf16ff856ee621cdfa39093942e0921814b3d00fa00d1d07311be051b5b9967 EAP-Message = 0xdc7a3c57fc2966073ac687529d646828040221acc839d856edd6a4d02fe265cedeea60cd4a6aa6da58de81bc11e002b1a6c00e97633e3781ef0ba790daae2e8f8dd5d5eaa6a4f6ae661d3c4c68e9160303014d0c00014903001741048157f67ad47b7975a3d5ef988ece4a22b7943cc6f4c831e12728f5469326775a6a2dd6bbdd06b86fa847470a73979f1a5cc1a2680d2f773243a2e954628a9f15040101008f382e96ba39664314647b136fa536cb5a74eda264fcdb9b369d9ee871ea3481ae4e7e1bc70e235e618fa403256a2636b9dfca45f6a1cd3751e6d6e164454e4e1b41a071187a5b139e0a40dff98594f42ce8de431658c12f452353a6e1 EAP-Message = 0xd2cf8ab2d0a2254b5a8701c3bdaa36f7078c26514d266e58200d425e1975c768b816581ab3324a7250a97157b66418b6680b70bf18e5d1d6220e2d4200844a39658722c27b08663766a3b7bb1d0adac8895c7dc0907234867ad31ba910819b1d7be6b41a54ce2e2486b27b1655c10a0842cf0ff4066307d425b368413da5c067f0913b9ca5e7165fac1eb81f8bd2e7c50d717dcdc15c07d340bf65dfc308b68682b32916030300040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138477208b3ddc39d6e6b8fcf3a Finished request 3. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=61, length=332 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x0293008819800000007e160303004610000042410441c65da909b29363fb6d94d11341d1a63737fc33858564e4777d1fba3938d34f6b6cde48fddbeaaa5b57166b057abae5919baef12bff79e808bb1c48fe2181dd14030300010116030300280000000000000000b56cff1d8d1a458245408995a7011c578778ff8cc1f11b05a84277633e87496c State = 0x44e11138477208b3ddc39d6e6b8fcf3a Message-Authenticator = 0xeebfb14c48e28cd794fa1ef51956772b # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 147 length 136 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< Unknown TLS version [length 0046] [peap] TLS_accept: SSLv3 read client key exchange A [peap] TLS_accept: SSLv3 read certificate verify A [peap] <<< Unknown TLS version [length 0001] [peap] <<< Unknown TLS version [length 0010] [peap] TLS_accept: SSLv3 read finished A [peap] >>> Unknown TLS version [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> Unknown TLS version [length 0010] [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 61 to 103.21.127.8 port 36461 EAP-Message = 0x019400391900140303000101160303002814208a69892760c3d1a54ca7591eb5f1381a96fcf9ce7e665ca765a62869c80ebc159d7b5abf84d5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138407508b3ddc39d6e6b8fcf3a Finished request 4. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=62, length=202 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x029400061900 State = 0x44e11138407508b3ddc39d6e6b8fcf3a Message-Authenticator = 0x4924f62a9f2a41b5c9ac17caab27d7ee # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 148 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 62 to 103.21.127.8 port 36461 EAP-Message = 0x019500281900170303001d14208a69892760c405708180ee60e4d4a6b47310941d12bd78d06c7e3a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138417408b3ddc39d6e6b8fcf3a Finished request 5. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=63, length=241 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x0295002d190017030300220000000000000001dca5af0083d483ffafd631c034efed7ea97d0207ef4bd21fb770 State = 0x44e11138417408b3ddc39d6e6b8fcf3a Message-Authenticator = 0x002dc507d8c58f08dc250b9e135fa976 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 149 length 45 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test.fac1 [peap] Got inner identity 'test.fac1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0295000e01746573742e66616331 server { [peap] Setting User-Name to test.fac1 Sending tunneled request EAP-Message = 0x0295000e01746573742e66616331 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 NAS-IP-Address = 103.21.127.8 server { # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 149 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test.fac1 [ldap] expand: %{Stripped-User-Name} -> test.fac1 [ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED" [ldap] ntPassword -> NT-Password == IDENTITY MASKED [ldap] lmPassword -> LM-Password == IDENTITY MASKED [ldap] looking for reply items in directory... [ldap] departmentNumber -> Dept-Number = "CSE" [ldap] employeeType -> Filter-Id = "FAC" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server [peap] Got tunneled reply code 11 Dept-Number = "CSE" Filter-Id = "FAC" EAP-Message = 0x019600231a0196001e1081d4aede15f3e759d816150f9f90d0d9746573742e66616331 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x259b8c2c250d963050bba180eb895341 [peap] Got tunneled reply RADIUS code Access-Challenge Dept-Number = "CSE" Filter-Id = "FAC" EAP-Message = 0x019600231a0196001e1081d4aede15f3e759d816150f9f90d0d9746573742e66616331 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x259b8c2c250d963050bba180eb895341 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 63 to 103.21.127.8 port 36461 EAP-Message = 0x019600421900170303003714208a69892760c5976feee0c355b169fb0c3d9fdc4724796bc532c9fb4ed9af0fcefb0d4bcfbee14863a2ffb97e47b5414a148ead167d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138427708b3ddc39d6e6b8fcf3a Finished request 6. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=64, length=295 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x02960063190017030300580000000000000002f46448f8de434237a7801a1bfb84e5ab19879f21b09ec99ec48d2d6c970acd1b419056751d7ab0301ad2bbe80d1fe0150900afecd21455e9e133df368545eee2b5b9e6666278a19158420a986f896fd6 State = 0x44e11138427708b3ddc39d6e6b8fcf3a Message-Authenticator = 0xca1c9218629941b0c5afe8dbf00724ab # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 150 length 99 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x029600441a0296003f310b504e9d0939a2a45337a15051a7e9c50000000000000000d4337995d2e6033e7ada08d52e715f700cc345f3ce7f619100746573742e66616331 server { [peap] Setting User-Name to test.fac1 Sending tunneled request EAP-Message = 0x029600441a0296003f310b504e9d0939a2a45337a15051a7e9c50000000000000000d4337995d2e6033e7ada08d52e715f700cc345f3ce7f619100746573742e66616331 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test.fac1" State = 0x259b8c2c250d963050bba180eb895341 Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 NAS-IP-Address = 103.21.127.8 server { # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 150 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test.fac1 [ldap] expand: %{Stripped-User-Name} -> test.fac1 [ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=x,dc=com, with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED" [ldap] ntPassword -> NT-Password == IDENTITY MASKED [ldap] lmPassword -> LM-Password == IDENTITY MASKED [ldap] looking for reply items in directory... [ldap] departmentNumber -> Dept-Number = "CSE" [ldap] employeeType -> Filter-Id = "FAC" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default [mschapv2] +group MS-CHAP { [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Creating challenge hash with username: test.fac1 [mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [test.fac1/] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel) Using Post-Auth-Type Reject # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test.fac1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server [peap] Got tunneled reply code 3 MS-CHAP-Error = "\226E=691 R=1" EAP-Message = 0x04960004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\226E=691 R=1" EAP-Message = 0x04960004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 64 to 103.21.127.8 port 36461 EAP-Message = 0x0197002e1900170303002314208a69892760c6d80a328ac500594d0d4490eb89a52ae61d21e1b7b75e6ac66dd5d5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e11138437608b3ddc39d6e6b8fcf3a Finished request 7. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=65, length=242 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-0000000F" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x0297002e1900170303002300000000000000032c20d0d40984d0150ae6d7f7f1ec0f16cfba56df3cab8b8ffea6fa State = 0x44e11138437608b3ddc39d6e6b8fcf3a Message-Authenticator = 0xa3b190fd72bdabffc94e17b43d816c26 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 151 length 46 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [test.fac1/] (from client iitap port 0 cli D4-63-C6-9E-33-BD) Using Post-Auth-Type Reject # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test.fac1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 65 to 103.21.127.8 port 36461 EAP-Message = 0x04970004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Cleaning up request 0 ID 57 with timestamp +9 Cleaning up request 1 ID 58 with timestamp +9 Cleaning up request 2 ID 59 with timestamp +9 Cleaning up request 3 ID 60 with timestamp +9 Cleaning up request 4 ID 61 with timestamp +9 Cleaning up request 5 ID 62 with timestamp +9 Cleaning up request 6 ID 63 with timestamp +9 Cleaning up request 7 ID 64 with timestamp +9 Waking up in 1.0 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=66, length=192 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x0254000e01746573742e66616331 Message-Authenticator = 0xb1f5642ffb6186f10c15f40d590ad472 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 84 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test.fac1 [ldap] expand: %{Stripped-User-Name} -> test.fac1 [ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED" [ldap] ntPassword -> NT-Password == IDENTITY MASKED [ldap] lmPassword -> LM-Password == IDENTITY MASKED [ldap] looking for reply items in directory... [ldap] departmentNumber -> Dept-Number = "CSE" [ldap] employeeType -> Filter-Id = "FAC" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 66 to 103.21.127.8 port 36461 Filter-Id = "FAC" EAP-Message = 0x015500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df6197448b300864323b9fbe1 Finished request 9. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=67, length=297 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x0255006519800000005b1603010056010000520301d678c93bb35b8d588af31841a9e833a163183e106c04f17966853081dc8c11a100000ec009c013c00ac014002f0035000a0100001bff0100010000170000000b00020100000a00080006001d00170018 State = 0xf64c6d3df6197448b300864323b9fbe1 Message-Authenticator = 0x40487db218603f578938282c0342e7f5 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 85 length 101 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 91 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0056], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 08ee], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A [peap] TLS_accept: Need to read more data: SSLv3 read client key exchange A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 67 to 103.21.127.8 port 36461 EAP-Message = 0x0156040019c000000a8a16030100390200003503019e2b6b478b9fe46aa8e79606a1150b2d2d3e31a93be3183372984558b8cd691000c01300000dff01000100000b00040300010216030108ee0b0008ea0008e70003e7308203e3308202cba003020102020101300d06092a864886f70d01010b0500308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420 EAP-Message = 0x436572746966696361746520417574686f72697479301e170d3139303133303135303530355a170d3231303132393135303530355a307f310b300906035504061302494e3112301006035504080c094b61726e6174616b6131143012060355040a0c0b49495420446861727761643122302006035504030c19526164697573205365727665722043657274696669636174653122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c1b0955b319f1f6621f5607ecbb49f744a0a0f78ea4e31d19a0ca744addd9045bb0220d89bbc EAP-Message = 0x8b6d6169b9fb0c255bc7ade7d879902aa4a060f96cd4e0c25ff660cdf5ecf4492055712b6d334868161dea5f988314bc360df494f987900b0f6fd8b6a0e3e63e7577ad34c71e55cb327d7d57b5fe3c38dacdf153ed5a14a62f438b815cc91102a28033020c8373e7b82484c3f04fe984847437e62d4769ff7c40081dc6651d2736549bf4fa9e3108ef872332aded8f649ed1e11892a3cfa16566b15e183bc0f8c99b698830c692f383b890b8a0730a7458d0b2348bf314efbb066ceaf4bb1f70e0be1255bee09c84db6bb06f77ea9efa36519b644b1f50a79ad90203010001a34f304d30130603551d25040c300a06082b060105050703013036060355 EAP-Message = 0x1d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101001302ed567f477a828a34effb1be5a87e140173473485fb8d310719ed80a926c14c95b72b15f2e6331a43b733a5ad2fe1e495ae3896a1499c6825a616d6bc51cdcf660a6069172eba30489bec9a8729f2821188bad3678a2a1678f73f6b2fe4fdbaad7a72549c9663e324fcd6c8e08ebed908a58166de237c39ee4f8e295802381abf228dbfa129ca7bfd4c75eafa134590cda55af27e3bbe9a850a6317c41924637b35dd3d0d5534e28f7db9407abe986a46b8cbf387 EAP-Message = 0x593d2de647de76683cb6fd95 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df71a7448b300864323b9fbe1 Finished request 10. Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=68, length=202 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x025600061900 State = 0xf64c6d3df71a7448b300864323b9fbe1 Message-Authenticator = 0x0c7944c040b7dc222f748f85c9c53651 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 86 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 68 to 103.21.127.8 port 36461 EAP-Message = 0x015703fc1940596fb2deeec8722992cfd5833f268aeb321265faf276fc6fdaaa84e70e7192f149ab519dc832ca469e28473b8f5154c9449aa3f4519393f587349a0d6bfb0004fa308204f6308203dea003020102020900b195ed2925374bc5300d06092a864886f70d01010b0500308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c214949542044686172776164204365727469666963 EAP-Message = 0x61746520417574686f72697479301e170d3139303133303135303334375a170d3231303132393135303334375a308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aa60dd6c677c68f395a7930d0684d20cc116ff EAP-Message = 0x7ab3141d129e8939f7732f3e873fc5c79fe51fa6de2a0cdf01343299207284c9075fafd7ee5bff3bcb284bb9bea69700da15b0bb3e96d640794669c604fd0c2bb7fcf1336cf8cca9debb776889af2e45af9615c27f1f996ca8d1f768406010da1912ad8c7d3ed71e97933b6fd9fab9ce7fe8bfd7a1bb8b7d3c611b8f2f6b5868a4ae7296c4c170a807e2dc553e21c93e9d8cb8f2b3a769999c5060de8b827b069c447fbe7e3707e3855976122cd434f078414c6512c35079db5708ee0f7e5ec3284c30e74c3d8f9f7e8c2d88f12ff557ebbcdc409bb58b339946a61af8198d3ddc55c6b9c3589f473734c7de390203010001a382013d30820139301d06 EAP-Message = 0x03551d0e04160414876f3b6ff4f034850d26e76d1cfa4727e22231683081ce0603551d230481c63081c38014876f3b6ff4f034850d26e76d1cfa4727e2223168a1819fa4819c308199310b300906035504061302494e3112301006035504080c094b61726e6174616b613110300e06035504070c074468617277616431143012060355040a0c0b49495420446861727761643122302006092a864886f70d01090116136d6f6e69746f724069697464682e61632e696e312a302806035504030c21494954204468617277616420436572746966696361746520417574686f72697479820900b195ed2925374bc5300f0603551d130101ff040530030101 EAP-Message = 0xff30360603551d1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df41b7448b300864323b9fbe1 Finished request 11. Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=69, length=202 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x025700061900 State = 0xf64c6d3df41b7448b300864323b9fbe1 Message-Authenticator = 0xc98bb4213da02a2bf288105768d12fde # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 87 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 69 to 103.21.127.8 port 36461 EAP-Message = 0x015802a41900042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010004198cd9513bbda7757818012765e60d14d05dd60f18760c5e8726bb1c24da7347d6a13aa7feac3e7babaa4c0025d30906dd493ec9b861693893252c170010289afd64d7a9ef04742b44e7483698f7afb4dd629a1ffd15912faacc78959fcbc244600752e2ae04809970f4f3bd066fc6d1106aa64982437ee4ced6f4a9c539416fdd01ad64cfc3f3d2ffd2bdd25cd979e58bfaf16ff856ee621cdfa39093942e0921814b3d00fa00d1d07311be051b5b9967 EAP-Message = 0xdc7a3c57fc2966073ac687529d646828040221acc839d856edd6a4d02fe265cedeea60cd4a6aa6da58de81bc11e002b1a6c00e97633e3781ef0ba790daae2e8f8dd5d5eaa6a4f6ae661d3c4c68e9160301014b0c00014703001741040d841ac3f3b76165676c6d3675c5da6ed6fc2dbe21eafe8bff3a1875a6b09c7fbfa944e627f73f938436e15b2b9cd487c57d174fe30cc58abed44e565165b718010056087dac83ac59634d1490ad81d2e0aad11aa1b28ee3d16a6db5f418034d3fce67cb8197a2cf90e46333a29ecc688bc110737db7d4ef25615a8a935ee2e42d73858a002a7efe6627c0697be76cbcbcfec572418656ef189356114b5cc7f569 EAP-Message = 0x3bde8c68608d63a18194c0331ee8620812a6769028fc2dd85f74c5718635ec6c8660953293de1a319ff9850ff66756040912649cb88451a988d26de947d626e1d8bb98b66a3c913486a1dc5f8fe4c91d694268160236d2b15f4bf87b84fedef58ce0bf5282a83c3f06fd559088fe00c72dd5bcccabcf179afa13a7e6b5edcc047de07ef00c13ddf0bae88c847c1b2172ee09aa4b301f47d30efde6e0d1ff790c0916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df5147448b300864323b9fbe1 Finished request 12. Going to the next request Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=70, length=340 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x025800901980000000861603010046100000424104584ba16d97871d2891aa9b3bea5e229fb2ce811431686caba1a8d84d812d5a7055114e286242d70be0b23dde2c418e89a88d080094004b18b1e2939714ae26e81403010001011603010030c070f2b7d3c54b88f31acb7bf6319262642b1bd6484bfdb1a741a78e11b953369205f391a8136f425bbfb69ef8d6af4b State = 0xf64c6d3df5147448b300864323b9fbe1 Message-Authenticator = 0x31c135f80dcf8a27bf0a22d3c94d09f4 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 88 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] TLS_accept: SSLv3 read certificate verify A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 70 to 103.21.127.8 port 36461 EAP-Message = 0x01590041190014030100010116030100303bc90209e19f2430e55f5cbf00985af02cc61b69f0019ba85b767277063e8e0ed97f0d895170f858cd8a28fc3afb424b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df2157448b300864323b9fbe1 Finished request 13. Going to the next request Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=71, length=202 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x025900061900 State = 0xf64c6d3df2157448b300864323b9fbe1 Message-Authenticator = 0xab95c807c503f9ad0d789ce03832f569 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 89 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 71 to 103.21.127.8 port 36461 EAP-Message = 0x015a002b190017030100206f4920eb854df0451d363d165f7acf473630057ee08cc02c12b201b5f6702598 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df3167448b300864323b9fbe1 Finished request 14. Going to the next request Waking up in 0.5 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=72, length=239 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x025a002b190017030100205c65d1d796601360dcb13de2236f36e89ff35c42816dca8cf98ae434d714ceac State = 0xf64c6d3df3167448b300864323b9fbe1 Message-Authenticator = 0x006d13f8c9b7a38a4c26610332abd833 # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 90 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test.fac1 [peap] Got inner identity 'test.fac1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x025a000e01746573742e66616331 server { [peap] Setting User-Name to test.fac1 Sending tunneled request EAP-Message = 0x025a000e01746573742e66616331 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 NAS-IP-Address = 103.21.127.8 server { # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 90 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test.fac1 [ldap] expand: %{Stripped-User-Name} -> test.fac1 [ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=x,dc=com, with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED" [ldap] ntPassword -> NT-Password == IDENTITY MASKED [ldap] lmPassword -> LM-Password == IDENTITY MASKED [ldap] looking for reply items in directory... [ldap] departmentNumber -> Dept-Number = "CSE" [ldap] employeeType -> Filter-Id = "FAC" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server [peap] Got tunneled reply code 11 Dept-Number = "CSE" Filter-Id = "FAC" EAP-Message = 0x015b00231a015b001e106531f4bf18f818e8e4221a8bd460bf2e746573742e66616331 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9066a9d2903db333e0a2f21a2e0aad03 [peap] Got tunneled reply RADIUS code Access-Challenge Dept-Number = "CSE" Filter-Id = "FAC" EAP-Message = 0x015b00231a015b001e106531f4bf18f818e8e4221a8bd460bf2e746573742e66616331 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9066a9d2903db333e0a2f21a2e0aad03 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 72 to 103.21.127.8 port 36461 EAP-Message = 0x015b004b190017030100404b1b14f967f93b961efe2df125d134cf7b14d87cb1bd2cca9eab812b0fb1c55bf3c06d90b7abb0d91e0ad2dd0d41fea13bed09e1b8300d6ffdfd8a6ccd9c7879 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df0177448b300864323b9fbe1 Finished request 15. Going to the next request Waking up in 0.5 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=73, length=303 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x025b006b19001703010060378eb43c3a7e9f6cc65f24c1420572c0011ee5ac5f81d2bf033378dcc7b83f865d841b8d035876eaaa399e63b1a14690a35229e04578007d3bd51e76a41288e8ec1e0637e6643a09c5e0bab192d14fb71c68c742c21d5f0e83064bddcd34c7e3 State = 0xf64c6d3df0177448b300864323b9fbe1 Message-Authenticator = 0x35c0d2f07afba1d971703de5e1484e9c # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 91 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x025b00441a025b003f310c0d01affbc837bc31ce19af039a159500000000000000006a76b0df704322f1aee34d2891a1fcdba145f497f3c5d33300746573742e66616331 server { [peap] Setting User-Name to test.fac1 Sending tunneled request EAP-Message = 0x025b00441a025b003f310c0d01affbc837bc31ce19af039a159500000000000000006a76b0df704322f1aee34d2891a1fcdba145f497f3c5d33300746573742e66616331 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test.fac1" State = 0x9066a9d2903db333e0a2f21a2e0aad03 Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 NAS-IP-Address = 103.21.127.8 server { # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 91 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test.fac1 [ldap] expand: %{Stripped-User-Name} -> test.fac1 [ldap] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(policy=accept)(enabledapps=web)) -> (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] expand: ou=people,dc=x,dc=com -> ou=people,dc=x,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=x,dc=com with filter (&(uid=test.fac1)(policy=accept)(enabledapps=web)) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}IDENTITY MASKED" [ldap] ntPassword -> NT-Password == IDENTITY MASKED [ldap] lmPassword -> LM-Password == IDENTITY MASKED [ldap] looking for reply items in directory... [ldap] departmentNumber -> Dept-Number = "CSE" [ldap] employeeType -> Filter-Id = "FAC" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default [mschapv2] +group MS-CHAP { [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Creating challenge hash with username: test.fac1 [mschap] Client is using MS-CHAPv2 for test.fac1, we need NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [test.fac1/] (from client iitap port 0 cli D4-63-C6-9E-33-BD via TLS tunnel) Using Post-Auth-Type Reject # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test.fac1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server [peap] Got tunneled reply code 3 MS-CHAP-Error = "[E=691 R=1" EAP-Message = 0x045b0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "[E=691 R=1" EAP-Message = 0x045b0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 73 to 103.21.127.8 port 36461 EAP-Message = 0x015c002b19001703010020c9b3ce265f03e10c55e890396b6ffdcb8ca7f5811b9169c5d1268f4e16706a49 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64c6d3df1107448b300864323b9fbe1 Finished request 16. Going to the next request Waking up in 0.4 seconds. rad_recv: Access-Request packet from host 103.21.127.8 port 36461, id=74, length=239 User-Name = "test.fac1" Called-Station-Id = "2C-4D-54-CA-B7-D8:ASUS_D8_2G" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "D4-63-C6-9E-33-BD" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "CC7E34D6-00000010" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027074 WLAN-AKM-Suite = 1027073 Framed-MTU = 1400 EAP-Message = 0x025c002b190017030100209a17fa6c0aec67a9c31f4f734b75ca7850221c5039f2b31171ca60a8bb087267 State = 0xf64c6d3df1107448b300864323b9fbe1 Message-Authenticator = 0xda86c8f02d3c4c10537082485fac5efa # Executing section authorize from file /home/setup.radius/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test.fac1", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test.fac1" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 92 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [test.fac1/] (from client iitap port 0 cli D4-63-C6-9E-33-BD) Using Post-Auth-Type Reject # Executing group from file /home/setup.radius/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test.fac1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.3 seconds. Cleaning up request 8 ID 65 with timestamp +9 Waking up in 0.6 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 74 to 103.21.127.8 port 36461 EAP-Message = 0x045c0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. ^C [root@radius ~]#